CVE Data Sources (Archived)

Introduction

From 1999 through November 2013, numerous organizations in the information
security community provided CVE with vulnerability information that helped MITRE
create new CVE Identifiers. This information was provided to MITRE in the form
of "submissions," which were derived from the submitting data source’s
vulnerability databases, probe lists from assessment tools, periodic
vulnerability summaries, etc.

With multiple submissions from different organizations (a process which continues today, see Data Sources/Product Coverage for current information), MITRE had a richer set of information to use when creating CVE Identifiers. This improved the quality of those CVE Identifiers, which in turn made CVE more useful to all parties. For example, the resulting CVE Identifiers may have provided additional references for people to include in their own databases. Also, since CVE did not rely on any one source, it had a better chance of identifying all publicly known security problems, which then provided a more comprehensive set of vulnerabilities and exposures for everyone. (Note that all data sources made decisions about which vulnerabilities or exposures they included in their own databases. They may have excluded a security problem from their own database because it was not sufficiently proven to exist, there was incomplete information, the problem was not important to the data source’s customers, etc.)

Each CVE data source received a "backmap," which linked its own database items to the resulting CVE names. This helped reduce the amount of labor that the data source had to perform when mapping their database to CVE names.

Individuals from the organizations noted below provided MITRE with vulnerability information (e.g., vulnerability databases, probe lists from assessment tools, periodic vulnerability summaries, etc.). The MITRE Corporation thanks all of these organizations for their contributions as data sources to the CVE Initiative during this time period.

Older Sources

Data Sources for Legacy Security Problems, Summer 2000

CVE was created in 1999. A large number of vulnerabilities and exposures were discovered and publicized before then. These are referred to as "legacy problems." While CVE includes the most serious and well-known legacy problems, in Summer 2000 there was a backlog of other legacy problems that still needed to be assigned a CVE name.

During summer 2000, the following organizations provided MITRE with stripped copies of their entire vulnerability databases. These databases helped MITRE to create more legacy CVE names, which in turn made CVE more comprehensive with respect to "legacy" vulnerabilities and exposures.

Data Sources for Legacy Security Problems, Winter 1999

In November and December of 1999, MITRE asked organizations to provide a "top 100 list" of vulnerabilities and exposures that they wanted to see in CVE. Over 800 submissions were provided. Those submissions helped expand CVE to more than 500 entries (Version 20000118).

Data Sources for the Draft CVE, Spring-Summer 1999

Before CVE was publicly released in September 1999, a "draft CVE" was created and submitted to the Editorial Board for feedback. ISS (later acquired by IBM), L-3 Security (later acquired by Symantec), SANS, and Netect (later acquired by BindView, which was later acquired by Symantec) provided information that was used to help create the draft CVE. Data was also drawn from other sources including Bugtraq and NTBugtraq posts, CERT advisories, and security tools such as Network Associates, Inc.'s (later acquired by McAfee, Inc.) CyberCop Scanner, Cisco’s NetSonar, and AXENT's (later acquired by Symantec) NetRecon.